OPM reveals new details about data-breach victims

The Office of Personnel Management says victims of a massive data breach include current and former federal employees whose records were sent by their organizations to OPM for future retirement processing.

The agency updated the Frequently Asked Questions section of its website Thursday with a few more details about the files hackers accessed. OPM previously stated that the breach affected 4 million current and former federal employees. It now says that estimate includes employees of any branch of the government whose organizations sent records to OPM for retirement purposes, regardless of whether the employee’s full personnel file is stored on OPM’s network.

“These records include service history records (such as the SF 2806), court orders, and other records and information that pertain to annuity calculations,” OPM said on the website.

Those records include sensitive information such as names, Social Security numbers and birth dates. They may also contain an employee’s job assignments, training records and benefit selections, OPM says.


OPM maintains personnel records for most, but not all, civilian agencies. Other federal organizations may submit an employee’s service-history documentation to OPM on certain occasions, the agency warned. Those include when an employee transfers from one agency to another, leaves an agency, or when the agency changes its payroll service center.

OPM said it believes active military personnel were not affected, although current and former Defense Department civilian employees were. It cautioned that it is still investigating the incidents, and new information might cause it to revise those statements.

Victims should receive notices by email or post from CSID, a company that OPM has contracted with to provide identity- protection services. OPM said it will finish sending those notices out today, but it may take a few more days to arrive.

In comparison to the details shared about this data breach, OPM has said little about a more recently announced breach reported to put 14 million people at risk.

Investigators discovered that breach in the course of investigating the first attack. The larger breach compromised security-clearance holders and applicants’ records. OPM said it is still determining the scope of that intrusion. It expects to notify victims at some point, it said.

“The investigation is still ongoing, and we will notify affected individuals as soon as is practicable. As with any such event, it takes time to conduct a thorough investigation and to identify the affected individuals,” it said.

OPM has tried to reassure those going through background investigations now that their data is secure. It still is processing those files. It said it is working closely with the White House, Homeland Security Department and others to safeguard that data.

“Protecting the security and integrity of the information entrusted to OPM is central to our mission, and we will continue to keep you apprised as the investigation continues,” OPM said.

OPM has been criticized by federal employee groups and members of Congress for the lack of information it has shared with the public about the two breaches.

OPM Director Katherine Archuleta refused to answer many questions posed by lawmakers at a congressional hearing earlier this week. She said those questions were best discussed in a classified setting.

Since then, a number of lawmakers have called on Archuleta to step down.

Read all of Federal News Radio’s coverage of the OPM Cyber Breach.


OPM’s lack of transparency on cyber breach leaves feds frustrated, ill informed

OPM’s archaic IT infrastructure opened door for massive data breach

Agencies notify employees of second cyber breach